# Dudect Author: Oscar Reparaz, Josep Balasch and Ingrid Verbauwhede [Original paper](https://eprint.iacr.org/2016/1123.pdf) [Github](https://github.com/oreparaz/dudect) ## Abstract - A tool to assess whether a piece of code runs in constant time or not on a given platform. - Based on leakage detection techniques - Requires no modeling of hardware behavior ## Introduction Tools ready for detection of variable time code - ctgrind - Flow-tracker - ctverif A common drawback is that these methods have to model somehow the hardware ## Approach 1. Measure execution time 2. Apply post-processing 3. Apply statistical test ### Measure execution time Fix-vs-random tests * First class input data is fixed to a constant value, might be chosen to trigger certain “special” corner-case * Second class input data is chosen at random for each measurement ### Apply post-processing * Cropping Typical timing distributions are positively skewed towards larger execution times, could be caused by measurement artifacts, OS interupt, etc. * Higher-order preprocessing It may be beneficial to apply some higher-order pre-processing, such as centered product ### Apply statistical test Null hypothesis H0: “The two timing distributions are equal” #### t-test * [Welch’s t-test](https://en.wikipedia.org/wiki/Welch%27s_t-test) This tests for equivalence of means. Failure of this test trivially implies that there is a first-order timing information leakage  * Higher order leakage When coupled with cropping pre-processing, which is a non-linear transform, one is no longer testing only for equality of means but also for higher order statistical moments #### Non-parametric tests * More general non-parametric tests, such as Kolmogorov-Smirnov * Advantage Typically rely on fewer assumptions about the underlying distributions * Disadvantage May converge slower and require more samples ## Results ### Experiment A white-box evaluator * Random class Considers uniformly distributed random 16-byte strings * Fix class Fixes input to s  * A t value larger than 4.5 provides strong statistical evidence that the distributions are different * Timing leakage is detectable even when few thousand measurements are available ### Experiment 2 The value for the fixed class is set to 0, and not s as in the previous case  * The two timing distributions are much closer to each other, but they are still different * Need more measurements to get statistically significant results ### Constant-time implementation Analyze an implementation of memory comparison that is supposed to run in constant time  Distributions are indeed indistinguishable up to 20 millionmeasurements